Blackbaud fined $3 million for “misleading disclosures” about 2020 ransomware attack

Cloud computing provider Blackbaud was hit with a $3 million civil penalty by the Securities and Exchange Commission (SEC) for making misleading disclosures about a 2020 ransomware attack that affected more than 13,000 customers.

According to an SEC statement, South Carolina-based Blackbaud did not accurately communicate the scope of the ransomware attack and withheld material information about the incident.

In July 2020, Blackbaud confirmed that it made a ransom payment to help with data recovery efforts after ransomware actors infected its corporate network.

“Our Cyber Security team, along with independent forensic experts and law enforcement, successfully prevented the cybercriminal from blocking access to our system and fully encrypting files; and finally kicked them out of our system. Prior to blocking the cybercriminal, the cybercriminal deleted a copy of a subset of data from our self-hosted environment,” the company said at the time.

Blackbaud’s incident notice, which has since been removed from its website, said the attackers failed to access its customers’ credit card details, bank account information or social security numbers.

Now, the SEC says it found Blackbaud’s claim that the ransomware attacker failed to access donor bank account information and social security numbers to be misleading.

From the SEC statement:

“However, within days of these statements, the company’s customer relations and technology staff learned that the attacker had accessed and exfiltrated this confidential information. These employees did not communicate this information to senior management responsible for its public disclosure because the company failed to maintain disclosure controls and procedures.

Because of this flaw, in August 2020, the company filed a quarterly report with the SEC that omitted this material information about the scope of the attack and mischaracterized the risk of an attacker obtaining such sensitive information from donors as hypothetical.”

“Blackbaud did not disclose the full impact of a ransomware attack despite its staff learning that its previous public statements about the attack were in error,” said David Hirsch, head of the SEC Enforcement Division’s Crypto Assets and Cyber Unit, noting that Blackbaud failed in its obligation to provide its investors with truthful and timely material information.

Without admitting or denying the SEC’s findings, Blackbaud agreed to cease and desist from further violations and to pay a $3 million civil penalty.

Related: Blackbaud says bank account details and SSNs were affected by the ransomware incident

Related: Cloud company Blackbaud pays ransomware operators to prevent data leaks

Related: FBI Warns of NetWalker Ransomware Targeting Businesses

Related: Law Enforcement, Cyber Insurance Driving Ransomware Success

James D. Brown